
CVE-2025-8366: Cross Site Scripting in Portabilis i-Educar

Medium
Tags: Vulnerability, CVE-2025-8366, cve, cve-2025-8366
Published: Thu Jul 31 2025 (07/31/2025, 04:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was found in Portabilis i-Educar 2.9. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /intranet/educar_servidor_lst.php. The manipulation of the argument nome/matricula_servidor leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/31/2025, 05:17:46 UTC

Technical Analysis

CVE-2025-8366 is a cross-site scripting (XSS) vulnerability in version 2.9 of Portabilis i-Educar, an educational management system. The flaw is in /intranet/educar_servidor_lst.php, a staff (servidor) listing page, and is reached through the 'nome' and 'matricula_servidor' request parameters. Values supplied in these parameters are written back into the HTML response without adequate output encoding, so an attacker who gets a victim to open a crafted URL can have arbitrary JavaScript execute in the victim's browser within the application's origin. Because the two parameters are search filters on a listing page, this is most likely reflected XSS: the payload travels in the link and runs only when a user opens it, so user interaction is required. The attack is launched remotely, but note that the script lives under /intranet/, which suggests it is part of the logged-in staff interface; whether the attacker also needs an account of their own depends on the CVSS vector, which this page does not reproduce, and should be confirmed before assuming unauthenticated reach. The CVSS 4.0 base score is 5.3, a medium rating. The direct impact is to integrity rather than confidentiality or availability: script running in the victim's session can issue requests as that user, read what the page renders, and attempt to capture session cookies or credentials, which in practice is what turns an XSS into session hijacking. The vendor was notified but has not responded or issued a patch. No exploitation in the wild is known at the time of writing, but the exploit has been publicly disclosed, which lowers the effort for an attacker. Only version 2.9 of i-Educar is named as affected; the platform is used by educational institutions to manage administrative and academic processes.
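To make the bug class concrete, the following is an added illustration in PHP (i-Educar's language) and is not i-Educar's code: the real template of educar_servidor_lst.php is not reproduced here, and the form layout, the helper names and the assumption that matricula_servidor is purely numeric are this example's own. It shows a listing page that reflects its search filters into input attributes, first without encoding, then with context-correct HTML encoding plus an allow-list on the registration number. The payload is constructed for the example.

```php
<?php
// Added illustration, not i-Educar's code: a listing page that reflects its
// search filters back into the form, first without encoding (the bug class
// behind CVE-2025-8366), then with context-correct HTML encoding.
declare(strict_types=1);

// Encode a value for insertion into an HTML attribute or text node.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8
// from silently producing an empty (and therefore unencoded) string.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: request parameters are echoed straight into attributes.
// Anything that closes the value attribute escapes into the markup.
function renderFilterVulnerable(array $params): string
{
    $nome = (string)($params['nome'] ?? '');
    $matricula = (string)($params['matricula_servidor'] ?? '');
    return '<input name="nome" value="' . $nome . '">'
         . '<input name="matricula_servidor" value="' . $matricula . '">';
}

// Hardened pattern: the same template, every reflected value encoded, plus an
// allow-list on the registration number (assumed here to be digits only;
// check the real schema before adopting that rule).
function renderFilterHardened(array $params): string
{
    $nome = (string)($params['nome'] ?? '');
    $matricula = (string)($params['matricula_servidor'] ?? '');
    if (!preg_match('/^\d{0,20}$/', $matricula)) {
        $matricula = ''; // reject rather than try to clean it
    }
    return '<input name="nome" value="' . encodeHtml($nome) . '">'
         . '<input name="matricula_servidor" value="' . encodeHtml($matricula) . '">';
}

// Constructed payloads: the first closes the value attribute and injects a
// script tag, the second stays inside the attribute and adds an event handler.
$payload = [
    'nome'               => '"><script>alert(document.cookie)</script>',
    'matricula_servidor' => '12" onfocus="alert(1)',
];

echo "Vulnerable:\n", renderFilterVulnerable($payload), "\n\n";
echo "Hardened:\n", renderFilterHardened($payload), "\n";

// The hardened output never contains a raw tag or an unencoded quote from input.
$hardened = renderFilterHardened($payload);
assert(strpos($hardened, '<script') === false);
assert(strpos($hardened, 'onfocus') === false);
```

Run it with `php` on the command line; the vulnerable output contains a live `<script>` element and an injected `onfocus` handler, the hardened output contains neither. The fix is applied at the point of output, not on input, because the same value may later be written into a JavaScript string or a URL, each of which needs its own encoder.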

Potential Impact

For European organizations, particularly educational institutions running Portabilis i-Educar 2.9, this vulnerability could lead to unauthorized use of staff sessions, theft of login credentials, and manipulation of what users see and submit within the platform. The impact is heightened where i-Educar is integrated with other critical systems or holds personal data of students and staff protected under GDPR. Exploitation could result in reputational damage, regulatory penalties, and disruption of educational services. Because the attack is delivered remotely through a crafted link, attackers can reach staff via phishing or malicious links without ever touching the server directly, and a single convincing message can affect many users. The lack of vendor response and of a patch lengthens the window of exposure, so mitigation on the deploying organization's side is essential.

Mitigation Recommendations

Organizations that can modify their i-Educar 2.9 deployment should fix the root cause: apply context-aware output encoding wherever the 'nome' and 'matricula_servidor' values are written into the page (in PHP, htmlspecialchars with ENT_QUOTES for attribute and text contexts), and add allow-list validation for matricula_servidor if it is a numeric identifier. Input validation alone is not sufficient, since a name field legitimately contains characters such as apostrophes that cannot be rejected. A web application firewall with rules for requests to /intranet/educar_servidor_lst.php whose parameters contain angle brackets, quotes, or event-handler names provides a temporary layer, but WAF signatures are routinely bypassed and are not a substitute for the code fix. A strict Content Security Policy without 'unsafe-inline' blocks injected inline scripts, but a legacy PHP application often relies on inline scripts itself, so roll CSP out in report-only mode first and confirm the application still works before enforcing it. Setting HttpOnly and SameSite on the session cookie limits cookie theft, though injected script can still act on the victim's behalf while the page is open. Monitor access logs for requests to the affected script whose nome or matricula_servidor values contain markup, keeping in mind that parameters sent in a POST body do not appear in standard access logs. Restrict network access to the intranet interface where the deployment allows it, and remind users not to open untrusted links to the platform. Track the vendor and the i-Educar project for a fixed release and upgrade as soon as one is available. Regular security assessments and penetration testing focused on output encoding are recommended, since the same pattern is likely to exist in other listing pages of the same codebase.
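As a worked example of the log monitoring suggested above, the following PHP CLI script is added here and is not part of the page or of i-Educar. It parses combined-format access log lines, keeps only requests to /intranet/educar_servidor_lst.php, decodes the nome and matricula_servidor parameters, and flags values that contain tag openings, inline event handlers, javascript: URLs, or a quote closing an attribute. The regular expressions and the threshold for what counts as suspicious are this example's own choices, and the log lines are constructed.

```php
<?php
// Added example, not part of the original page or of i-Educar: scan web server
// access logs for requests to the affected script whose filter parameters carry
// HTML or script fragments. The log lines below are constructed for the example.
declare(strict_types=1);

const TARGET_PATH   = '/intranet/educar_servidor_lst.php';
const WATCHED_PARAMS = ['nome', 'matricula_servidor'];

// Fragments that a person's name or a registration number never legitimately contains.
const SUSPICIOUS = [
    '/<\s*\/?\s*[a-z]/i',   // tag opening, e.g. <script, <img, </
    '/\bon[a-z]+\s*=/i',    // inline event handler, e.g. onerror=
    '/javascript\s*:/i',    // javascript: URL
    '/[\'"]\s*>/',          // quote followed by > closing an attribute and tag
];

/** Parse one combined-format line into ip/method/path/query/status, or null if it does not match. */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) ([^ ?"]+)(?:\?([^ "]*))? HTTP\/[\d.]+" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'query' => $m[4] ?? '', 'status' => (int)$m[5]];
}

/** Return the names of watched parameters whose decoded value looks like an XSS probe. */
function suspiciousParams(string $query): array
{
    parse_str($query, $params); // percent-decodes once and treats + as space
    $hits = [];
    foreach (WATCHED_PARAMS as $name) {
        $value = $params[$name] ?? '';
        if (!is_string($value)) {
            continue; // nome[]=... arrays are skipped here; treat them as a probe if you prefer
        }
        // Decode a second time so double-encoded payloads (%2522 -> %22 -> ") are caught too.
        $value = rawurldecode($value);
        foreach (SUSPICIOUS as $pattern) {
            if (preg_match($pattern, $value)) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

/** Scan log lines and return one alert per request to the target script with a suspicious parameter. */
function scan(array $lines): array
{
    $alerts = [];
    foreach ($lines as $index => $line) {
        $req = parseLine($line);
        if ($req === null || $req['path'] !== TARGET_PATH) {
            continue;
        }
        $hits = suspiciousParams($req['query']);
        if ($hits !== []) {
            $alerts[] = ['line' => $index + 1, 'ip' => $req['ip'], 'status' => $req['status'], 'params' => $hits];
        }
    }
    return $alerts;
}

// Constructed sample: a benign search, a script-tag probe, an attribute-escape probe,
// a probe against a different script (ignored), and a double-encoded probe.
$sample = [
    '10.0.0.5 - - [31/Jul/2025:10:01:02 +0000] "GET /intranet/educar_servidor_lst.php?nome=Maria%20Silva&matricula_servidor=1234 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [31/Jul/2025:10:02:17 +0000] "GET /intranet/educar_servidor_lst.php?nome=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301',
    '10.0.0.9 - - [31/Jul/2025:10:02:40 +0000] "GET /intranet/educar_servidor_lst.php?matricula_servidor=1%22%20onfocus%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5290',
    '10.0.0.7 - - [31/Jul/2025:10:03:05 +0000] "GET /intranet/educar_index.php?nome=%3Cscript%3E HTTP/1.1" 200 800',
    '10.0.0.9 - - [31/Jul/2025:10:04:00 +0000] "GET /intranet/educar_servidor_lst.php?nome=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5301',
];

$alerts = scan($sample);
foreach ($alerts as $a) {
    printf("line %d: %s probed %s (HTTP %d)\n", $a['line'], $a['ip'], implode(', ', $a['params']), $a['status']);
}
assert(count($alerts) === 3); // lines 2, 3 and 5; line 1 is benign, line 4 targets another script
```

In the sample, lines 2, 3 and 5 are reported and line 4 is ignored because it targets a different script. A 200 response to a flagged request tells you the payload was rendered, not that a victim opened it; correlate the source address with the referer and with sessions that later behave unusually. If the form submits by POST, run the same `suspiciousParams` check on reverse-proxy or WAF logs that record request bodies, since the access log will show only the path.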


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-30T16:36:48.443Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688af8f7ad5a09ad00b2f7f6

Added to database: 7/31/2025, 5:02:47 AM

Last enriched: 7/31/2025, 5:17:46 AM

Last updated: 7/31/2025, 8:01:58 PM

